Archive for cloud

Password fatigue is something we’ve all experienced at some point. Whether it’s due to breaches and the ever present, ‘update password’ warnings, the corporate policy of a 90-day rotation or simply registering for a website with yet another unique username and password. Social login or social sign-in allows people to use their existing Google, Twitter, Facebook, LinkedIn or other social credentials to enter a web property, rather than creating a whole new account for the site. These can be used to authenticate, verify identity or to allow posting of content to social networks and the main advantage is convenience and speed.

Here, you now have a choice and can authenticate using any one of the 4 external identity providers: Azure AD Enterprise and Azure AD B2C, along with Google and Facebook. Google and Facebook are very popular social login choices - as shown in the initial image above - where organizations are looking to authenticate users and allow them to authorize the sharing, with the application, of information that Google and Facebook already have.

In this case, we have an application behind BIG-IP that relies on getting such information from an external third party. For this, we’ll select Facebook. When we click logon, BIG-IP will redirect us to the Facebook login screen.

Now we’ll need to log into Facebook using our own personal information. And with that, Facebook has authenticated us and has sent BIG-IP critical info like name, email and other parameters.

BIG-IP has accepted the OAuth token passed to it from Facebook, extracted the info from the OAuth scope and now the application knows my identity and what resources I’m authorized to access.

We can do the same with Google. Select the option, click logon and we’re redirected to the Google authentication page. Here again, we enter our personal credentials and arrive at the same webtop.

Like Facebook, Google sent an authorization code to BIG-IP; BIG-IP validated it, extracted the username from the OAuth scope and passed it to the backend application, so the application knows who I am and what I can access.

Let's look at Microsoft. For Microsoft, we can authenticate using a couple of editions of Azure AD – Enterprise and B2C. Let’s see how Enterprise works. Like the others, we get redirected to Microsoftonline.com to enter our MS Enterprise credentials.

In this instance, we’re using an account that’s been federated to Azure AD from another BIG-IP and we’ll authenticate to that BIG-IP. At this point that BIG-IP will issue a SAML assertion to Azure AD to authenticate me to Azure AD. After that, Azure AD will issue an OAuth token to that BIG-IP. BIG-IP will accept it, extract the user information and pass it to the application.

Finally, let’s see how Azure AD B2C works. B2C is something companies can use to store their non-corporate user base: partners, suppliers, contractors, etc. B2C allows users to maintain their own accounts and personal information. In addition, they can log in using a typical Microsoft account or a Google account. In this case, we’ll simply use a Microsoft account and are directed to the Microsoft authentication page.

Social logins not only help enterprises offer access to certain resources, they also improve the overall customer experience with speed and convenience and allow organizations to capture essential information about their online customers.
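The checks a relying party such as BIG-IP performs before trusting the identity a provider hands back are worth seeing in code. The following is an added example, not F5 code and not a description of how BIG-IP implements its OAuth client: a constructed provider issues a one-time authorization code and an HS256-signed ID token so the example runs offline (real providers sign with RS256 keys published at a JWKS endpoint), and the relying party checks the `state` it minted, redeems the code, then verifies signature, issuer, audience, expiry and nonce before extracting the user. Issuer, client id, redirect URI, user and secret are all placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholders; a real provider uses an RS256 key from its JWKS endpoint.
PROVIDER_SECRET = b"constructed-shared-secret-not-for-production"
ISSUER = "https://idp.example.test"                       # placeholder issuer
CLIENT_ID = "bigip-demo-client"                           # placeholder client id
REDIRECT_URI = "https://app.example.test/oauth/callback"  # placeholder callback


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ValidationError(Exception):
    """Raised when the callback or the ID token fails a check."""


def issue_id_token(claims: dict, secret: bytes = PROVIDER_SECRET) -> str:
    """Toy provider side: sign the claims as a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, secret: bytes, *, issuer: str, audience: str,
                      nonce: str, now: float) -> dict:
    """Relying-party side: signature first, then issuer, audience, expiry and nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValidationError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the expected alg; never let the token choose
        raise ValidationError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValidationError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValidationError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValidationError("token not meant for this client")
    if claims.get("exp", 0) <= now:
        raise ValidationError("token expired")
    if claims.get("nonce") != nonce:
        raise ValidationError("nonce mismatch (replayed token)")
    return claims


def start_login(session: dict) -> dict:
    """Step 1: mint state (anti-CSRF) and nonce (anti-replay) and keep both in the session."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
            "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}


def handle_callback(session: dict, params: dict, exchange_code, now: float) -> dict:
    """Step 2: browser returns with ?code=..&state=..; check state, redeem code, validate token."""
    if not hmac.compare_digest(params.get("state", ""), session.get("state", "")):
        raise ValidationError("state mismatch")
    id_token = exchange_code(params["code"])   # back-channel call to the token endpoint
    claims = validate_id_token(id_token, PROVIDER_SECRET, issuer=ISSUER,
                               audience=CLIENT_ID, nonce=session.pop("nonce"), now=now)
    session.pop("state")                       # state and nonce are single use
    return {"sub": claims["sub"], "email": claims["email"]}


def toy_provider(nonce: str, now: float, *, secret: bytes = PROVIDER_SECRET,
                 audience: str = CLIENT_ID, lifetime: int = 300):
    """Constructed IdP: a one-time code redeemable for a signed ID token bound to the nonce."""
    codes = {secrets.token_urlsafe(8): issue_id_token({
        "iss": ISSUER, "aud": audience, "sub": "user-123", "email": "alice@example.test",
        "nonce": nonce, "iat": now, "exp": now + lifetime}, secret)}
    code = next(iter(codes))
    return code, lambda c: codes.pop(c)        # pop: the code works exactly once


def demo_login(now: float = 1_700_000_000.0) -> dict:
    session = {}
    req = start_login(session)
    code, exchange = toy_provider(req["nonce"], now)
    return handle_callback(session, {"code": code, "state": req["state"]}, exchange, now)


def rejected_reason(now: float = 1_700_000_000.0, **tamper) -> str:
    """Run the flow with one thing wrong and report why the relying party refused it."""
    session = {}
    req = start_login(session)
    code, exchange = toy_provider(tamper.get("nonce", req["nonce"]), now,
                                  secret=tamper.get("secret", PROVIDER_SECRET),
                                  audience=tamper.get("audience", CLIENT_ID),
                                  lifetime=tamper.get("lifetime", 300))
    try:
        handle_callback(session, {"code": code, "state": tamper.get("state", req["state"])},
                        exchange, now)
    except ValidationError as err:
        return str(err)
    return "accepted"
```

The order matters: the signature is checked before any claim is read, the algorithm is pinned rather than taken from the token header, and the code, state and nonce are each consumed once so a captured callback cannot be replayed.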

Cloud is all the rage these days as it has matured into a bona fide, viable option to deploy your applications. While attractive, you may also want to apply, mimic or sync your traditional data center policies like high availability, scalability and predictability in the cloud.

Here we’ll walk through how to create a simple single NIC (sometimes called “one ARM”) instance of BIG-IP VE in the Amazon Web Services console.

Open the AWS management console and click VPC (Virtual Private Cloud) to dive right into the VPC wizard and create a simple, single public subnet VPC.

Give it a name, accept the other defaults and click Create VPC. When it creates a VPC, it also creates a security group for the VPC. There we’ll want to check some of the rules associated with the security group.

The source can be the security group itself or you can replace it with a specific IP range. While not the safest, here we’re allowing all traffic. You can also edit the outbound rules if needed.

Next, for our application server, we’ll want to create an EC2 instance of a Microsoft Windows machine with a webpage on it in the VPC. The location of your application server is up to you. For this article, you can see we’ve created an application server with a private IP address along with a corresponding public IP address. You don’t need the public address unless you need to connect directly to the app server.

Next we’ll want to deploy an instance of BIG-IP in the VPC. We’ll search the Marketplace for BIG-IP hourly but you can also use your current BIG-IP license in a Bring Your Own License scenario. There are various throughput limits and BIG-IP module bundles so choose what’s appropriate for your situation. (See this doc for more info on recommended instances)

We’ll choose our region and click continue and then Launch.

We’ll then want to select an instance type and when we get to the Instance Details screen, we’ll choose the VPC and subnet we created earlier. You can make more adjustments here or simply accept the auto-assign defaults.

We’ll move through the Storage step and hit the Add Tags spot and give it a name value, like BIG-IP VE1. Often it is just a simple name so you can find it in the list of instances.

Next we select the existing security group we created or we can create a new one. Since the one we created was wide open, you could create one that allows only port 22 (for SSH), port 443 (for web application/virtual server traffic), and 8443 (for management/Config utility access).
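A quick way to confirm the group really is narrowed down the way this step describes is to audit the inbound rules. The script below is an added example, not an F5 or AWS tool: it walks JSON in the shape of `aws ec2 describe-security-groups` output (a constructed sample with placeholder group ids, and the TEST-NET-3 range 203.0.113.0/24 standing in for the admin network) and reports anything beyond the intended policy, that is, the wizard’s all-traffic rule, port ranges, and 22 or 8443 reachable from anywhere rather than from the admin range or the group itself. Only 443 is expected to be open to the world.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# group ids and CIDRs are placeholders, not real account data.
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0wizard0default0", "GroupName": "wizard-default",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "UserIdGroupPairs": [{"GroupId": "sg-0wizard0default0"}]}]},
  {"GroupId": "sg-0bigip0ve0000000", "GroupName": "bigip-ve",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")["SecurityGroups"]

ADMIN_CIDRS = {"203.0.113.0/24"}   # placeholder admin network (TEST-NET-3)
PUBLIC_PORTS = {443}               # virtual server traffic may come from anywhere
MANAGEMENT_PORTS = {22, 8443}      # SSH and the Config utility: admin sources only


def _sources(perm: dict) -> list:
    """Every source a rule grants: IPv4 CIDRs, IPv6 CIDRs and referenced security groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])


def audit_security_group(sg: dict, admin_cidrs=frozenset(ADMIN_CIDRS)) -> list:
    """Return findings for inbound rules that exceed the intended 22/443/8443 policy."""
    findings = []
    own = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        sources = _sources(perm)
        if perm["IpProtocol"] == "-1":   # the wizard's "all traffic" rule has no ports
            findings += [f"{own}: all protocols and ports open to {src}" for src in sources]
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if lo != hi:
            findings.append(f"{own}: {perm['IpProtocol']} port range {lo}-{hi} instead of a single port")
            continue
        for src in sources:
            if perm["IpProtocol"] == "tcp" and lo in PUBLIC_PORTS:
                continue
            if (perm["IpProtocol"] == "tcp" and lo in MANAGEMENT_PORTS
                    and (src in admin_cidrs or src == own)):
                continue
            findings.append(f"{own}: {perm['IpProtocol']}/{lo} open to {src}")
    return findings


def audit_all(groups: list) -> dict:
    """Map each group id to its list of findings (empty list means it matches the policy)."""
    return {sg["GroupId"]: audit_security_group(sg) for sg in groups}


if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_SECURITY_GROUPS).items():
        print(gid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

On the sample, the wizard group is flagged twice (all traffic from 0.0.0.0/0 and from itself) and the BIG-IP group is flagged once, for the Config utility port 8443 being reachable from anywhere, the kind of slip that is easy to make when copying the 443 rule.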

Once that’s done we’ll click launch and select our key pair. You’ll use the key pair when you use SSH to connect to BIG-IP VE.

We get the status page as it launches. The one thing to remember is to allocate an Elastic (public) IP so the BIG-IP instance can reach the license server for verification. You can also use that public IP to connect to the Config utility and as the virtual server address. Once the BIG-IP instance is up and running, you can’t access it until you’ve connected over SSH and set a strong admin password. You can do this with PuTTY and the key (Connection > SSH > Auth).

Once we’ve locked it down with a strong password, we’ll use the public IP and take a look at the Config utility which allows us to manage our BIG-IP. Using the new password, now we’re able to start the BIG-IP setup wizard like you would any other BIG-IP. That public IP will be the target to serve traffic to the application through BIG-IP.

From here, you can also update management ports, provision modules, and of course, create the virtual server(s) and pools for your application.

Go back to the AWS console, get the private address of the webserver and that becomes the resource address for your pool.

Same thing for the virtual server. Go to AWS, grab the BIG-IP private address (as opposed to the webserver above) and that is what you enter for the virtual server.

Finish the other resource settings, including the appropriate pool and the virtual server is live and visitors can now enjoy the application. We can add whatever services and profiles we need for a fast, available and secure application.

The time of year when crystal balls get a viewing and many pundits put out their annual predictions for the coming year. Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.

10 IoT Predictions for 2017 – IoT was my number 1 in The Top 10, Top 10 Predictions for 2016 and no doubt, IoT will continue to cause havoc. People focus so much on the ‘things’ themselves rather than the risk of an internet connection. This list discusses how IoT will grow up in 2017, how having a service component will be key, the complete mess of standards and simply, ‘just because you can connect something to the Internet doesn’t mean that you should.’

10 Cloud Computing Trends to Watch in 2017 - Talkin' Cloud posts Forrester’s list of cloud computing predictions for 2017 including how hyperconverged infrastructures will help private clouds get real, ways to make cloud migration easier, the importance (or not) of megaclouds, that hybrid cloud networking will remain the weakest link in the hybrid cloud and that, finally, cloud service providers will design security into their offerings. What a novel idea.

2017 Breach Predictions: The big one is inevitable – While not a list, per se, NetworkWorld talks about how we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation. Political manipulation? No, that’ll never happen. NW talks about how cyber attacks will get worse due to IoT and gives some ideas on how to protect your data in 2017.

Torrid Networks’ Top 10 Cyber Security Predictions For 2017 – Dhruv Soi looks at the overall cyber security industry and shares that many security product companies will add a machine learning twist to their products and at the same time, there will be next-gen malware with an ability to bypass machine learning algorithms. He also talks about the fast adoption of Blockchain, the shift towards mobile exploitation and the increase of cyber insurance in 2017.

Fortinet 2017 Cybersecurity Predictions: Accountability Takes the Stage - Derek Manky goes in depth with this detailed article covering things like how IoT manufacturers will be held accountable for security breaches, how attackers will begin to turn up the heat in smart cities and if technology can close the gap on the critical cyber skills shortage. Each of his 6 predictions includes a detailed description along with risks and potential solutions.

2017 security predictions – CIO always has a year-end prediction list and this year doesn’t disappoint. Rather than reviewing the obvious, they focus on things like dwell time, or the interval between a successful attack and its discovery by the victim. In some cases, dwell times can reach as high as two years! They also detail how passwords will eventually grow up, how the security blame game will heat up and how mobile payments, too, will become a liability. A little different take and a good read.

Predictions for DevOps in 2017 – I’d be remiss if I didn’t include some prognosis about DevOps - one of the most misunderstood terms and functions of late. For DevOps, they will start to include security as part of development instead of an afterthought, we’ll see an increase in the popularity of containerization solutions and DZone sees DevOps principles moving to mainstream enterprise rather than one-off projects.

10 top holiday phishing scams – While many of the lists are forward-looking into the New Year, this one dives into the risks of the year end. Holiday shopping. A good list of holiday threats to watch out for including fake purchase invoices, scam email deals, fake surveys and shipping status malware messages begging you to click the link. Some advice: Don’t!

Bonus Prediction!

Top 10 Most Popular Robots to Buy in 2017 – All kinds of robots are now entering our homes and appearing in society. From vacuums to automated cars to drones to digital assistants, robots are interacting with us more than ever. While many are for home use, some also help with the disabled or help those suffering from various ailments like autism, a stroke or even a missing limb. They go by many monikers like Asimo, Spot, Moley, Pepper, Jibo and Milo to name a few.

Are you ready for 2017?

If you want to see if any of the previous year’s prognoses came true, here ya go:

A hybrid infrastructure allows organizations to distribute their applications
when it makes sense and provide global fault tolerance to the system overall.
Depending on how an organization’s disaster recovery infrastructure is designed,
this can be an active site, a hot-standby, some leased hosting space, a cloud
provider or some other contained compute location. As soon as that server,
application, or even location starts to have trouble, organizations can
seamlessly maneuver around the issue and continue to deliver their applications.

Driven by applications and workloads, a hybrid environment is a technology
strategy to integrate the mix of on premise and off-premise data compute
resources. In this Lightboard Lesson, I explain how BIG-IP can help facilitate
hybrid infrastructures.

My 5th grader has a Chromebook for school. She loves it and it allows her access to school applications and educational tools where she can complete her assignments and check her grades. But if 5th grade is a tiny dot in your rear-view and you’re looking to deploy Chromebooks in the enterprise, BIG-IP v12 can secure and encrypt ChromeOS device access to enterprise networks and applications. With network access, Chromebook users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their Chrome OS devices.

From an employee’s perspective, it is very easy to get the SSL VPN configured. Log on to a Chromebook, open the Chrome Web Store, search for ‘F5 Access’ and press the +ADD TO CHROME button. Click Add app when the dialogue box pops up and F5 Access will appear in your ‘All Apps’ window.

Next, when launched, you’ll need to accept the license agreement and then add a server from the Configuration tab:

Next, give it a unique name, enter the BIG-IP APM server URL and optionally add your username and password. Your password will not be cached unless that’s allowed by the APM Access Policy. You can also select a client certificate if required. Once configured, it’ll appear in the list. You can also have multiple server configurations if needed:

To connect, click the bottom tray bar and select the tile that says, ‘VPN Disconnected.’

And select the server configured when setting up the app. Depending on the configuration, you’ll either get the native login window or the WebTop version:

Once connected, there won’t be any indication in the tray but if you click it, you’ll see the connection status in the same VPN area as above and it’ll show ‘connected’ within the F5 Access app:

As you can see in the above image, you can also check Statistics and Diagnostics if those are of interest. To end the connection, click the tray again, select the VPN tile and click Disconnect.

For administrators, it’s as simple as adding a ‘ChromeOS’ branch off the ClientOS VPE action:

F5 iApps are user-customizable frameworks for deploying applications that enable you to ‘templatize’ sets of functionality on your F5 gear. You can automate the process of adding virtual servers or build a custom iApp to manage your iRules inventory.

Application ready templates were introduced in BIG-IP v10 and the goal was to provide a wizard for the often deployed applications like Exchange, SharePoint, Citrix, Oracle, VMware and so forth. This allowed abstracting some of the configuration details and reduced the human error when following the pages of the thick deployment guides for those applications. Application templates were great but there was no way to customize the template during the deployment or adjust it after.

Introduced in TMOS v11, iApps is the current BIG-IP system framework for deploying services-based, template-driven configurations on BIG-IP systems. iApps bundle all of the configuration options for a particular application together.

Roughly a third of F5 customers use iApps and they are especially popular for more complex configurations, like Microsoft Exchange, for example, which requires up to 1200 mouse clicks to configure manually and only 50 mouse clicks to configure with the iApp. iApps are also often used to roll out similar configurations to multiple BIG-IPs. Some customers run hundreds of iApps, some run none; the choice is yours.

Here is one example of iApp customization and its evolution. When we released SAML support in v11.3, many customers wanted to use BIG-IP APM as a SAML Identity Provider (IdP) for Office365 but there are a few steps to configure that in BIG-IP. Configure Active Directory, then SAML, then the access policy and so forth. One of our very smart Security Architects, Michael Koyfman, wanted to make that task simple, repeatable and accurate.

He decided to write an O365 iApp and posted it to DevCentral where there was immediate interest from the community. From that, Product Development engineers rewrote it to follow their libraries and best practices and then moved it to supported status. You can now use this F5 supported iApp template to configure the BIG-IP system as a SAML IdP to Microsoft Office 365 applications, such as Exchange and SharePoint. This template configures the BIG-IP APM system as an IdP for Office 365 to perform single sign-on (SSO) between the local Active Directory user accounts and Office 365-based resources such as Microsoft Outlook Web App and Microsoft SharePoint.

But we didn’t stop there.

Since it is the same framework and easily extensible to add more services to an iApp, they took it a step further. With the O365 iApp as the basis, the team then built a SaaS Federation iApp which allows you to configure BIG-IP APM as SAML IdP to 11 commonly used SaaS applications including Salesforce, Concur, WebEx, O365 and others. Now, with a single iApp, you can federate your employees to many SaaS applications easily, efficiently and securely. This iApp also went through a beta period on DevCentral and was recently released as an F5 supported iApp.

UI configurations for the SaaS iApp

Summary of configurations for the SaaS iApp

So if you need a quick and easy way to deploy your applications, look no further than F5 iApps. You can use the F5 built iApps, you can customize F5 built iApps or you can build your own iApps. Your applications, infrastructure and business will thank you.

There once was a time when organizations
wouldn’t consider deploying critical applications in the cloud. It was too much
of a business risk from both an access and an attack perspective—and for good
reason, since 28
percent of enterprises have experienced more security breaches in the public
cloud than with on-premises applications. This is changing, however. Over
the last few years, cloud computing has emerged as a serious option for
delivering enterprise applications quickly, efficiently, and securely. Today
almost 70 percent of organizations are using some cloud technology. And that
approach continues to grow. According to the latest Cisco
Global Cloud Index report, global data center IP traffic will nearly triple
over the next five years. Overall, data center IP traffic will grow at a
compound annual growth rate of 25 percent from 2012 to 2017.

This growth is to support our on-demand, always connected lifestyle, where
content and information must be accessible/available anytime, anywhere, and on
any screen. Mobility is the new normal, and the cloud is the platform to deliver
this content. No wonder enterprises are scrambling to add cloud components to
their existing infrastructure to provide agility, flexibility, and secure access
to support the overall business strategy. Applications that used to take months
to launch now take minutes, and organizations can take advantage of innovations
quickly. But most IT organizations want the cloud benefits without the risks.
They want the economics and speed of the cloud without worrying about the
security and integration challenges.

Use of the corporate network itself has become insecure, even with firewalls
in place. Gone are the days of “trusted” and “untrusted,” as the internal
network is now dangerous. It'll only get worse once all those IoT wearables hit
the office. Even connecting to the corporate network via VPN can be risky due to
the network challenges. Today, almost anything can pose a potential security
risk, and unauthorized access is a top data security concern.

Going against the current trend, some organizations are now placing critical
applications in the cloud and facing the challenge of providing secure user
access. This authentication is typically handled by the application itself, so
user credentials are often stored and managed in the cloud by the provider.
Organizations, however, need to keep close control over user credentials, and
for global organizations, the number of identity systems can be in the
thousands, scattered across geographies, markets, brands, or acquisitions. It
becomes a significant challenge for IT to properly authenticate the person
(whether located inside or outside the corporate network) to a highly available
identity provider (such as Active Directory) and then direct them to the proper
resources. The goal is to allow access to corporate data from anywhere with the
right device and credentials. Speed and productivity are key.

Authentication, authorization, and encryption help provide the fine-grained
access, regardless of the user’s location and network. Employee access is
treated the same whether the user is at a corporate office, at home, or
connected to an open, unsecured Wi-Fi network at a bookstore. This eliminates
the traditional VPN connection to the corporate network and also encrypts all
connections to corporate information, even from the internal network.

In this scenario, an organization can deploy the BIG-IP platform, especially virtual
editions, in both the primary and cloud data centers. BIG-IP intelligently
manages all traffic across the servers. One pair of BIG-IP devices sits in front
of the servers in the core network; another pair sits in front of the directory
servers in the perimeter network. By managing traffic to and from both the
primary and directory servers, the F5 devices ensure the availability and
security of cloud resources—for both internal and external (federated)
employees. In addition, directory services can stay put as the BIG-IP will
simply query those to determine appropriate access.

While there are some
skeptics, organizations like GE
and Google
are already transitioning their corporate applications to cloud deployments and
more are following. As Jamie
Miller, President & CEO at GE Transportation, says, 'Start Small,
Start Now.'

The time of year when crystal balls get a viewing and many pundits put out
their annual predictions for the coming year. Rather than thinking up my own, I
figured I’d regurgitate what many others are expecting to happen.

7 Future Predictions for the Internet of Things – IoT is one of the
hottest terms and trends. From connected cars, homes, businesses and more,
connected devices are becoming more prevalent in our lives. Stable Kernel looks
at the future economic growth, development of smart cities, wearables, privacy
challenges and how voice commands will become the norm.

Forrester’s top 10 predictions for business in 2016 — and what they mean for tech –
Computerworld summarizes Forrester’s top 10 predictions and how 2016 will be the
year that the companies that thrive will be those advancing down the customer
obsession path. They look at critical business issues like loyalty, analytics,
personalization and how privacy will become a value to which customers will
respond. You need to live a customer-obsessed operating model to survive.

IBM predicts tech world of 2016 – At number 5, IBM has published its 6th
annual Five in Five - where it predicts five innovations that will change all of
our lives in the next five years, with mind-reading machines apparently set to
be interpreting our thoughts by 2016. From generating our own energy to no more
passwords to almost everyone having some sort of mobile technology, IBM Labs is
exploring these emerging technologies.

DDoS Predictions for 2016, IBM Insights – Also from Big Blue, they are
sharing insight into new types of DDoS attacks that are to be expected during
the coming year. DDoS is no longer a nagging problem but a bona fide technique
to disable a company’s resources. BitTorrent, malicious JavaScript and Temporal Lensing DDoS
(pdf) attacks are all explained. As
I’ve mentioned before, there have always been protesters and activists -
some write letters, some picket on the sidewalk, some throw rocks and with the
advent of the internet, now you can protest (and more) by creating digital
havoc.

5 IT industry predictions for 2016 from Forrester and IDC – CIO.com hits
on the 2016 predictions of IDC and Forrester, two of the largest analyst firms.
In their distillation, there could be a bleak future for legacy vendors since
according to IDC, ‘by 2020, more than 30 percent of the IT vendors will not
exist as we know them today.’ There will also be some cloud consolidation,
big data gets even bigger and traditional enterprises will turn into software
companies. Software developers will become a scarce commodity.

10+1 Commandments For Companies Developing Wearable Health Trackers – Many of
us will be getting a wearable or two this holiday season so ScienceRoll rolled
up its 10+1 commandments every company developing wearable health trackers
should follow. Practical value, online communities, long-lasting batteries and
gamification are what users desire. We know you want to make money but focus on
helping people live a healthier life.

In-depth: Top 10 Internet of Things companies to watch – We started with IoT and
figured I’d caboose this with another. RCRWireless digs in to the top players in
both Industrial IoT and Consumer IoT. Many of the names are familiar: Cisco,
IBM, ATT, Google, GE, Samsung and a few others are already hedging their future
on all these connected nouns. See what these organizations are doing both
internally and externally to embrace IoT and take advantage of this proposed multi-trillion
dollar market opportunity.

And if you want to see if any of the previous year’s predictions came true,
here ya go:

Programmability and orchestration are critically important with cloud
deployments and Alex Applebaum, Sr. Product Management Engineer, explains why
and talks about ways organizations can use BIG-IP programmability in the cloud.
Yet another critical F5 service, always available on the BIG-IP platform, now
enabled for the cloud.

IoT applications will come in all shapes and sizes but no matter the size,
availability is paramount to support both customers and the business. The most
basic high-availability architecture is the typical three-tier design. A pair of
ADCs in the DMZ terminates the connection. They in turn intelligently distribute
the client request to a pool (multiple) of IoT application servers which then
query the database servers for the appropriate content. Each tier has redundant
servers so in the event of a server outage, the
others take the load and the system stays available.

This is a tried and true design for most operations and provides resilient
application availability, IoT or not, within a typical data center. But fault
tolerance between two data centers is even more reliable than multiple servers
in a single location, simply because that one data center is a single point of
failure.

In order to achieve or even maintain continuous IoT application availability
and keep up with the pace of new IoT application rollouts, organizations must
explore expanding their data center options to the cloud, to ensure IoT
applications are always available. Having access to cloud resources provides
organizations with the agility and flexibility to quickly provision IoT
services. The Cloud offers organizations a way to manage IoT services rather
than boxes along with just-in-time provisioning. Cloud enables IT as a Service,
just as IoT is a service, along with the flexibility to scale when needed.

Integrating cloud-based IoT resources into the architecture requires only a
couple of pieces: connectivity, along with awareness of how those resources are
being used.

Once a connection is established and network bridging capabilities are in
place, resources provisioned in the cloud can be non-disruptively added to the
data center-hosted pools. From there, load is distributed per the ADC platform’s
configuration for the resource, such as an IoT application. The connectivity between a data center and the cloud is
generally referred to as a cloud
bridge. The cloud bridge connects the two data center worlds securely and
provides a network compatibility layer that “bridges” the two networks. This
provides a transparency that allows resources in either environment to
communicate without concern for the underlying network topology.

By integrating your enterprise data center to external clouds, you make the
cloud a secure extension of the enterprise’s IoT network. This
enterprise-to-cloud network connection should be encrypted and optimized for
performance and bandwidth, thereby reducing the risks and lowering the effort
involved in migrating your IoT workloads to cloud.

Maintain seamless delivery

This hybrid infrastructure approach, including cloud resources, for IoT
deployments not only allows organizations to distribute their IoT applications
and services when it makes sense but also provides global fault tolerance to the
overall system. Depending on how an organization’s disaster recovery
infrastructure is designed, this can be an active site, a hot standby, a leased
hosting space, a cloud provider, or some other contained compute location. As
soon as that IoT server, application, or even location starts to have trouble,
an organization can seamlessly maneuver around the issue and continue to deliver
its services to the devices.
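The two ideas in the preceding paragraphs, cloud members joining a data-center pool without disruption and traffic routing around a failing server or site, are easiest to see with a small model. The code below is an added illustration in Python, not F5 code and not BIG-IP’s implementation: a pool whose data-center members carry a higher priority than its cloud members, so the cloud tier only receives requests once fewer than a minimum number of data-center members remain healthy, and falls back out again when they recover. Member addresses (10.0.1.x for the data center, 172.16.1.x for the cloud) and site labels are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    site: str        # "datacenter" or "cloud"; constructed labels
    priority: int    # higher is preferred
    healthy: bool = True


class Pool:
    """Pool whose lower-priority (cloud) members activate only when fewer than
    `min_active` members remain healthy in the higher-priority groups."""

    def __init__(self, members, min_active):
        self.members = list(members)
        self.min_active = min_active
        self._rr = 0   # round-robin cursor

    def set_health(self, address, healthy):
        """What a health monitor does after a probe to this member succeeds or fails."""
        for m in self.members:
            if m.address == address:
                m.healthy = healthy
                return
        raise KeyError(address)

    def active_members(self):
        """Walk priority groups from highest to lowest until enough healthy members are found."""
        healthy = [m for m in self.members if m.healthy]
        chosen = []
        for prio in sorted({m.priority for m in healthy}, reverse=True):
            chosen += [m for m in healthy if m.priority == prio]
            if len(chosen) >= self.min_active:
                break
        return chosen

    def pick(self):
        """Round-robin over the currently active members; None when every tier is down."""
        active = self.active_members()
        if not active:
            return None   # nothing left here: the ADC fails the request or fails over the site
        m = active[self._rr % len(active)]
        self._rr += 1
        return m


def distribute(pool, requests):
    """Send `requests` through the pool and count where each one landed."""
    counts = Counter()
    for _ in range(requests):
        m = pool.pick()
        counts[m.address if m else "no-member-available"] += 1
    return dict(counts)


def build_demo_pool():
    # Constructed: two data-center members preferred, two cloud members as the extension tier.
    return Pool([
        Member("10.0.1.10", "datacenter", 10),
        Member("10.0.1.11", "datacenter", 10),
        Member("172.16.1.10", "cloud", 5),
        Member("172.16.1.11", "cloud", 5),
    ], min_active=2)


def failover_walkthrough():
    """Active member addresses at each stage of a data-center failure and recovery."""
    pool = build_demo_pool()
    stages = {"all healthy": [m.address for m in pool.active_members()]}
    pool.set_health("10.0.1.10", False)
    stages["one dc member down"] = [m.address for m in pool.active_members()]
    pool.set_health("10.0.1.11", False)
    stages["dc site down"] = [m.address for m in pool.active_members()]
    pool.set_health("10.0.1.10", True)
    pool.set_health("10.0.1.11", True)
    stages["dc recovered"] = [m.address for m in pool.active_members()]
    return stages


if __name__ == "__main__":
    for stage, members in failover_walkthrough().items():
        print(f"{stage:20s} -> {members}")
    print(distribute(build_demo_pool(), 4))
```

With both data-center members healthy the cloud tier gets nothing; losing one data-center member drops the group below the minimum of two, so the remaining member shares load with both cloud members; losing the site moves everything to the cloud; and recovery returns traffic to the data center without any configuration change.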

Advantages for a range of industries

The various combinations of hybrid infrastructure types can be as diverse as
the IoT situations that use them.

Enterprises probably already have some level of hybrid, even if it is a mix
of owned space plus SaaS. They typically prefer to keep sensitive assets
in-house but have started to migrate workloads to hybrid data centers. Financial
industries have different requirements than retail. Retail will certainly need a
boost to their infrastructure as more customers will want to test IoT devices in
the store.

The Service Provider industry is also well on its way to building out IoT
ready infrastructures and services. A major service provider we are working with
is in the process of deploying BIG-IP Virtual Editions to provide ADC
functionality needed for the scale and flexibility of the carrier’s connected
car project. Virtualized solutions are required for Network Functions
Virtualization (NFV) to enable the agility and elasticity necessary to support
the IoT infrastructure demands.